First you MUST reboot the phone, the malware is in memory.
Then capture packets on the router and see if you have connections made to the above-mentioned 3 IP addresses. Other than that no idea, as the package does not show up in any GUI app. Maybe some native Android apps have the capacity to capture its packets, but i am not sure.

Well it seems it can be uninstalled using the method from here:
https://www.reddit.com/r/Android/comments/6ftg72/want_to_completely_disableuninstall_those_pesky/
In this case the commands are these:
adb shell pm uninstall -k --user 0 com.android.telephone
adb shell pm uninstall -k --user 10 com.android.telephone
In this device it was installed both for user '10' (Guest) and the current user '0'.

I did the update. Good news.
The systemui apk file has 0/56 virustotal score!
Other than that they included some new software - Google Duo and Browser stands out at first glance.
Now i will have to see if something happens ...

Well. It seems that a firmware update was released on 2017-05-26 and pushed via the wireless update, we noticed only now.
It has 2 items in changelog: a line colored red saying "Enhanced protection against malware" and some minor bug fixes. One can hope they mean that they removed this crap.
I will apply the update later when the phone is available and report back.

I tried uploading it to virustotal and Malwarebytes does not detect it there. I would expect all mobile antivirus solutions to work with virustotal since we can get a better picture in a few seconds instead of installing a ton of anti malware apps.
BTW after the yesterday's "outbreak" i removed the "SYSTEM_ALERT_WINDOW" permission (that is the permission that lets a window cover everything permanently, used by this kind of malware to force the user to actually tap a button) from systemui and since then no more popups... May be a coincidence, may not. Will see.
adb shell pm revoke com.android.systemui android.permission.SYSTEM_ALERT_WINDOW

Well it started happening again. Now i don't know if there is another modified system/google component that has access, the systemui has built in stuff that does stuff regardless of net access or maybe NetGuard doesnt always work (after switching networks?) - one day about 2-3 weeks ago the NetGuard app probably crashed (no status icon) and for about 7 hours the phone was connected to the net with no limitations.
Today we saw that an apk was downloaded from somewhere and full screen messages started appearing.
I wonder that Chrome itself may be compromised too...
Anyway, this sucks.

Hi,
I asked Cubot too. Well i got the Exact same answer you got (in an implicit admission):
-Some Fota upgrade or No Root firewall.
Now the Fota link they sent was not working. They seem to provide the Adups Fota data collection tool (which is built in the Wireless Update tool) that besides the actulal updates can do some presonal data collection. Note that this is done surreptitiously in the background and the data us sent to the same servers the updates come from. There was a scandal about it in the US where they stopped the data collection by an update (which BTW can just as well be reversed by them).
To block this you should block net access to the Wireless Update tool.
Now on the phone i had issues with (used by my wife) i reflashed the firmware (from their site, via the wireless update local update option) then reset to defaults.
But before giving it any net access i installed NetGuard from .apk (i compiled it from source but AFAIK the play store version .apk can be downloaded too) and disabled network access to system ui, wireless update and another shady package thad has the Opera Store description but has some chinese name.
No issues were since more than a month. And as you can see above System UI tried to connect to many sites since.
But these kind of issues have to be known to the world - the chinese (people?) brands lost any trust i had. Is there a site where we get these phones listed with links to reports like these for validation?
Chinese vendors i had interacted with on AliExpress, Ebay etc all had a "slippery" attitude when something was wrong with their merchandise (anyway i buy only cheaper stuff that i afford to lose my money over) . I get it, cultural differences and all but anyway.
Customer:
Guys, you have malware installed on the phones you sell and customers store private data on.
Chinese:
Please try disabling net access of our malware with a 3rd party tool (which, if some reason is stopped, will allow the malware to run).
What the #$##? Probably they are accustomed to no privacy over there they don't even understand what we want (BTW i lived my childhood under Communism and i know how it works). But they sell stuff to people that have other needs than them.
Is that hard to provide a firmware that has no crap in it???
BTW i remembered somebody posting on Amazon i believe a screencap about a conversation about this subject with a chinese dude that went something like:
Customer: you sold a phone that sent my personal data to China
Sales rep: your data is safe with us
Customer (i believe the exact words): You are seriously typing this??
PS: Malwarebytes still does not detect this (come on, even ClamAv detects it!).